Exam SC-200 topic 4 question 3 discussion

NNY for me

NNN - KQL queries can only be run against interactive data. Total retention period is used to specify the period data needs to be archived for. Archived data cannot be accessed via KQL you have to run special Search or Restore jobs to access this data. So increasing the total retention period will have no effect on the data returned by any of the queries. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-retention-archive?tabs=portal-3%2Cportal-1%2Cportal-2

It seems that nobody caught one aspect here: Basic tables don’t support summarize (only filtering). Query 1 would fail unless Table1 is Analytics. So first answer is YES. Second answer is NO - default interactive period for both plans is 30 days, so changing the total retention will not help. Third answer: NO, same reason as the above, plus that you cannot even go past the 30 days in the Basic plan.

NNN N (Basic has retention for 30 days, each day 2 logs * 15 days = 30 logs) N (Analytical plan has 30 days of interactive retention for custom logs by default, you`d need to change “interactive retention from default to 120 days, not total retention) N (Basic tables have a fixed interactive retention period of 30 days, need to change to Analytics Plan, not total retention) https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-retention-configure?tabs=portal-3%2Cportal-1%2Cportal-2#interactive-long-term-and-total-retention

NNN The key piece of information here is the Interactive retention. Interactive retention period is the time range available for you to retrieve the data from the table through queries. The default interactive retention plan for each table: Analytics - 90 days for Sentinel and Application Insight Basic - 30 days

"For Query1 to return a value of 30, you must change Table plan to Analytics." Query1 targets Table1 and queries data from the last 15 days. Table1 is on the Basic plan, with a 30-day retention period. The data is within the retention period, so no change in the table plan is necessary to return a value. Answer: No "For Query2 to return a value of 240, you must change Total retention period to 120 days." Query2 targets Table2 and queries data from the last 120 days. Table2 has a retention period of 365 days, which already covers 120 days. No change is necessary for Query2 to return the value. Answer: No "For Query3 to return 90 rows, you must change Total retention period to 45 days." Query3 targets Table1 and queries data from the last 45 days. Table1 has a 30-day retention period. To retrieve data for 45 days, the retention period must be increased to 45 days. Answer: Yes

NYN: Nboth basc and Analytics can be queried (both interactive retention) Y: you shorten the retention, so older records get archived. N: in order to get the already archived logs back to interactive retention, you need to use a search job to restore them.